By Jeffrey C. Price and Lori Beckman
Airport security managers throughout the United States are responsible for the computerized physical access control systems (PACS), which allow thousands of workers into secure areas of the airport on a daily basis. Many of these systems were upgraded shortly after 9/11, but now time is coming for the next upgrade. What questions should airport security managers ask potential vendors about how their systems are addressing today’s evolving cyber vulnerability’s?
The threat to aviation continues to evolve, getting more sophisticated and we’re now seeing more about the use of insider personnel. Both, Metrojet 9268, which went down last October after departing from the Egyptian resort of Sharm el-Sheikh, and Daallo Airlines 159, which went down as it departed from Aden Adde International Airport in the Somali capital Mogadishu, are suspected to be from bombs placed on the plane by insiders (i.e. airport workers).
Upgrading the access control system can provide an excellent opportunity for an airport security director to shore up the defenses against both cyber and insider threats, but if handled improperly, can leave gaping holes in the system. The TSA continues to focus on the insider threat, recently releasing more guidance to airports focused on airport workers.
Access control and badging systems control employee access throughout the airport, and help keep the public out of areas they do not belong. Access controls are similar to the locks on the door of a house, just much more sophisticated. Badges are like the keys to the house, so security directors want to be sure that (a) the “locks” work and when there is an intrusion, it lets personnel know about it, and (b) that the “keys” (e.g. badges) are issued only to those with access, and their access is limited to only the areas they need to go.
After 9/11, many airports upgraded their access control and credentialing systems to a level of operation that we see in place today. Estimated shelf life of a physical access control system today is about 15 years. Many airports have systems that are 20-25 years old. Those airports should have design and replacement in their capital budgets by now, otherwise they may be looking for spare parts on Ebay and Craigslist.
The first step in upgrading or replacing the PACS is to obtain a copy of the Radio Technical Commission for Aeronautics (RTCA) document DO-230E Standards for Airport Security Access Control Systems. RTCA covers credentialing, biometrics, PACS, Perimeter Intrusion Detection Systems (PIDS), video surveillance systems, security operations centers, integration, communications infrastructure, and cyber security, as major topics. Also, airport operators should obtain a copy of TSA’s Recommended Guidance for Airport Planning, Design and Construction and Biometrics use for Access Control and Credentialing at U.S. Commercial Airports.
Try ObserveIT’s Insider Threat Management Software
The next step in upgrading or replacing the access control system is to hire an experienced airport security design consultant, rather than consultants without airport work under their belt. Airports are too unique in their operation to have people who don’t understand how one functions, and trying to learn as they go.
All airport stakeholders should be involved in the design of the system. Do not assume that one airline or tenant can represent the needs and perspectives of everyone on the airport. A system integrator should be brought in during the design phase to assist in finalization of the design if possible. The airport should also consider the use of a GM/GC for the procurement and installation of the system. Also, when it comes to your new PACS stay away from cutting edge technology for a bit. Let them work out the kinks before you buy.
Rather than replacing badge system, consider progressing to an identity management system (IDMS). IDMS vendors can integrate with many existing access control systems on the market, and will allow the airport to comply with issuance and audit requirements through rules-based programming. Essentially, allowing employees only the information or access they need, when they need it. IDMS systems push the data entry to the company’s Authorized Signatory for new badge applicants, reduce the workload of a badge renewal to clicking on a hyperlink. This allows airport security staff to spend more time interacting with badging customers and less time with their heads down typing in data.
Some of the IDMS vendors are incorporating analytics, which will allow the security director to take potential irregular behaviors/activity and have a “human” take a closer look. These types of tools will allow the airport to better comply with potential requirements from the Aviation Security Advisory Committee (ASAC) recommendations in the future as well. However, many PACS vendors say they have IDMS, but do not – they are hoping in some cases that your airport will be their first.
New access control systems should have the capability to interface with biometrics in the future and airport security managers should consider installing biometrics at key access points regardless of regulatory requirements. Biometrics are a good deterrence to insider threat issues. Airports have the option to install biometrics without replacing the PACS, biometric systems can run separate from the PACS through edge-control devices. This reduces overall cost, but the alarms and data on who attempted access does not go back to the ACAMS operator station or communications/security operations center, so it’s more difficult to troubleshoot a badge problem after the badging office closes for the night.
The type of ID card technology is also important to consider. A Personal Identity Verification (PIV) card is a United States Federal smart card that contains the necessary data for the cardholder to be granted to Federal facilities and information systems and assure appropriate levels of security. PIV cards meet government criteria, but airports cannot presently issue them because they are approved at the Federal level. However, it may make sense to have a PACS that’s PIV compatible, in case the standards are adopted, or required, in the future.
The insider threat to aviation continues to grow, with several recent airline bombings attributed to insiders. Airport access control and credentialing systems must become better at addressing the insider threat. It’s not enough to know where an employee has access – today their access needs to be directly related to their work, with the ability to monitor certain activities, raising or lowering the level of authorization or access as necessary. The importance of PACS is that those who use the system, bypass many of the security layers that are designed to prevent passengers from bombing or hijacking an airplane, so be sure you can trust them. Using software that can both track, and restrict activity and access is one of the best practices that airport’s should implement.
As PACS and badging systems are starting to come up on their service life, it’s an opportunity for airport security directors to look at both the present threat, and to look into the future, to select the best system for their airport. Choose wisely, because you’ll be living with the systems abilities for at least the next 15 years, and, this is your chance to include tools to reduce insider threat issues.
Special thanks to Lori Beckman of Airport Security Consulting who assisted in the writing of this blog entry.
Disclosures: some blogs may feature hyperlinks or direct comments/ads related to certain products or services, and for which I occasionally will receive some level of compensation. The editorial content on this page and my other blogs are not provided by any product or service provider, with the exception of certain clarifications as to the operation and/or performance of a product or service, often gathered through the course of my research, which may include interviews with individuals related to the product or service. In some cases, a blog that includes a link or ad to a product or service and that I received compensation to include in the blog, may have been reviewed by the advertiser in advance, but the final say on the content of the blog, is mine. Outside of banner ads, which are sometimes paid for directly, or placed by an ad placement service, any compensation does not impact my perspective on a product or serve, nor does it serve as an endorsement. However, I rarely will allow an ad or hyperlink to a product or service if I fundamentally don’t support said product or service.